Looking for advice for career path as an Ethical Hacker

<<

Disneycrack

Newbie

Posts: 16

Joined: Sun Sep 11, 2011 8:08 am

Post Sun Sep 11, 2011 8:36 am

Looking for advice for career path as an Ethical Hacker

Hello,

First I would like to introduce myself. My name is Stafford, I'm 21 years old and am currently in the Army. Before the Army, I worked at Geek Squad as both an in-home and precinct agent (just call it a computer repairer) for 2 years before the military.

I have been trying to learn as much about computers as I could since I was about 10. I love everything involving computers. I had a ton of issues deciding on exactly what field I wanted to work in until I came across ethical hacking. I have gotten my feet wet with learning Python and the intricacies of Software Security.

I recently decided to change my degree from an Associate's in Software Programming to an Associate's in Network Systems Administration. I have been trying to get in contact with some professionals in the field that can help me choose the right path to get into the Ethical Hacking field. Once I ETS out of the Army in two years I will be pursuing a career in this field. I have found the perfect field for me.

My question is where would a beginner start? I have been researching a ton and have only really found certifications you need, but have had trouble with a good Bachelor's to obtain for the field. Any help would be greatly appreciated, and if you have questions for me, do not hesitate to ask as I am really trying to get my path cleared for once I ETS so I can support myself and my wife once I leave the Army.

Thanks for all the help in advance.
<<

Disneycrack

Newbie

Posts: 16

Joined: Sun Sep 11, 2011 8:08 am

Post Sun Sep 11, 2011 8:40 am

Re: Looking for advice for career path as an Ethical Hacker

I also obtained a Secret Security clearance in July of 2009 when I joined the Army.
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Sun Sep 11, 2011 6:59 pm

Re: Looking for advice for career path as an Ethical Hacker

The network and systems admin path is one way to do it. That's the way I did it. Hang on to that security clearance. There are tons of federal gigs on the east coast that want clearance.

This is actually a pretty common question on these boards, "how do I get into security..." Like I just told the last guy, there are 100 ways to do it, just depends what part of security you're interested in.
<<

Disneycrack

Newbie

Posts: 16

Joined: Sun Sep 11, 2011 8:08 am

Post Sun Sep 11, 2011 10:26 pm

Re: Looking for advice for career path as an Ethical Hacker

I was looking to be more focused on the networking side.
<<

millwalll

Post Mon Sep 12, 2011 3:28 am

Re: Looking for advice for career path as an Ethical Hacker

Hi Stafford,

I think the best way forward would be to hold on to that security clearance and try to teach yourself as much as you can. It is very hard to get into security; it took me 8 months to get a junior position with a company.

Most companies in the UK look for testers who have done CREST or TIGER.
It would be worth looking at these and seeing what you know and do not know on the syllabus and try to learn from them. Also maybe try and do some hacking courses on your own just to build your skills up. OSWP or hackingdojo; there are also lots of others, just look on forums. They are the two that spring to mind as I have done OSWP and am doing hackingdojo.

Having a good understanding of networking is good, as well as web applications.

You should also get involved within the community; depending on where you are in the UK there are forums like this one. You have DC4420 once a month in London, or places like the BCS; they have lots of groups. This is a great way to get your name into the industry, and I got most of my interviews from people I met at these locations. Also, if you are not on LinkedIn I would recommend joining up; it's a good way to network. Again, I have had lots of people in the industry help me from that site.

I hope this helps; here are a few links too.

http://jamierougive.co.uk/ My site, may be of some use
http://dc4420.org/ dc4420
http://ypisg.bcs.org/ Young professional information security group


hope this helps :) and good luck!
<<

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon Sep 12, 2011 7:49 am

Re: Looking for advice for career path as an Ethical Hacker

Like cd1zz mentioned, the Net admin route is a good place to start, but certainly don't limit yourself to just networking. As an ethical hacker you will need to be a little versatile; essentially you will be looking for a job as a pen tester either external or internal to a company. If you work for a large enterprise you may be asked to test their systems before they go and have an outside firm have at it. You may need to be able to test various platforms from web applications to trying to bypass network controls on the switch/router end of things. To keep yourself from getting overwhelmed you will want to look at becoming good in a particular area; specialize in what is of the most interest to you. Keep your scripting skills sharp and always keep informed. Twitter is a great place to get your news. There are a few key pros out there to follow. Attend conferences; don't worry, you don't need to drop the cash for something like DEFCON, there are plenty of free or inexpensive conferences out there. Some occur pretty frequently. I highly recommend you check out a Security B-Sides conference: http://www.securitybsides.com. Those are great places to meet some local talent and network.

Also have you considered trying to utilize the Army to get a foothold somewhere? It seems the DoD is trying to capture up talent to man their Cyber Defense programs, you already have the clearance, and they would probably invest in furthering your interest so long as it suits their needs. Otherwise, don't stop at the Associates, consider the Bachelors since many private sector companies like to see that. Though like they said, with the clearance and military background some things can be overlooked. So pick your poison, specialize and hunt for the experience. The certs are great to determine what you need to learn to be at that level, getting them is even better but having a good amount of background knowledge beforehand is also good.

Good luck and also these boards are a wonderful place to come for guidance.  So don't be a stranger.
Certs: GCWN
(@)Dewser
<<

Disneycrack

Newbie

Posts: 16

Joined: Sun Sep 11, 2011 8:08 am

Post Mon Sep 12, 2011 9:18 am

Re: Looking for advice for career path as an Ethical Hacker

Thank you for all that information, I will definitely utilize it. I plan on being on these boards regularly to get well versed in the field. I am currently in Iraq at the moment, but will have to get up on these conferences to get my face out there and meet some people. Thanks again
<<

rance

Full Member

Posts: 212

Joined: Thu Jan 03, 2008 5:24 pm

Location: Earth

Post Mon Sep 12, 2011 10:23 am

Re: Looking for advice for career path as an Ethical Hacker

My typical answer to these types of questions is, you need to know a little bit about everything, especially as an app pen tester.  A few scenarios:

Site 1:
Running on a shared hosting server
Mostly static HTML only site
Uses a flat file database to present some data

Site 2:
Web 2.0 site
Tomcat on Apache
MySQL database
Uses PHP and RUBY
Also uses SOAP and AJAX
Heavily driven with Javascript
Only ports 80 and 443 are open

Site 3:
Web 2.0 Site
IIS server
MSSQL database
Uses .Net and ASP
Relies heavily on Web Services
Ports 20, 22, and 23 are open

So, here we've got potentially 3 different server technologies, 5 programming languages, 3 database types, 2+ web 2.0 technologies, and 3 if not 5 network ports to investigate. (Some people might disagree that ports aren't part of an app pen test, but if through scraping data off your site, I'm able to put together a username/password combo, and I can then SSH to your box successfully, I call that a win.)

In other words, you need to know a lot about all the underlying technologies. It's also a good idea to know not just that a vulnerability exists, but to understand HOW the exploit works. You can run an automated tool, and it may come back with, say, an XSS vulnerability. Do you just report it at that point? No. You need to verify it. This is where the knowledge comes into play. You need to be able to repeat the attack without the help of a scanner, and you need to understand it enough to be able to explain it to your target audience. Just showing a pop-up box that says "XSS ALERT!" isn't a very swaying example, and in most cases you'll get the *shrug* and a "so? you made a box pop up." You need to be able to articulate why it's dangerous and how it can be exploited.

Not trying to dissuade you, just encouraging you to learn a bit about all technologies that drive web sites. The more knowledge you have, the better tester you'll be.

(Of course, if you're going into network pen testing, that's different ;D )

Good luck!
Poking at security since 1986.  +++ATH
<<

Disneycrack

Newbie

Posts: 16

Joined: Sun Sep 11, 2011 8:08 am

Post Mon Sep 12, 2011 11:36 am

Re: Looking for advice for career path as an Ethical Hacker

I don't plan on just sticking to networking, just trying the best way to get my foot in the door. From there I plan on expanding my horizons to other areas in the field. Thanks for the links and help Rance and Jamie, I will make sure to check into these for sure.
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Sep 12, 2011 1:25 pm

Re: Looking for advice for career path as an Ethical Hacker

<<

the_Grinch

Newbie

Posts: 45

Joined: Tue Jan 13, 2009 4:24 pm

Post Tue Sep 13, 2011 1:06 am

Re: Looking for advice for career path as an Ethical Hacker

sil - thanks for reposting this, I had been looking for it and I knew it was from you, but couldn't find the address!
BS-CST Security+

Blog:  http://havewire.blogspot.com/
<<

Disneycrack

Newbie

Posts: 16

Joined: Sun Sep 11, 2011 8:08 am

Post Tue Sep 13, 2011 4:09 am

Re: Looking for advice for career path as an Ethical Hacker

Thank you very much for that link sil. That was absolutely incredible and will make sure that I bookmark that immediately
<<

Disneycrack

Newbie

Posts: 16

Joined: Sun Sep 11, 2011 8:08 am

Post Tue Sep 13, 2011 9:31 am

Re: Looking for advice for career path as an Ethical Hacker

Sil, once again thank you for that link. Even though I didn't understand around half of it, I at least know where to get started to try and get a foot up before I get real deep into everything.
<<

Disneycrack

Newbie

Posts: 16

Joined: Sun Sep 11, 2011 8:08 am

Post Tue Sep 13, 2011 9:49 am

Re: Looking for advice for career path as an Ethical Hacker

My next question would be which certifications to obtain first?
<<

sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Tue Sep 13, 2011 11:24 am

Re: Looking for advice for career path as an Ethical Hacker

I think you need to pick your own poison and go from there. Think of security in terms of a baseball team. Here you are saying: "I want to play, which position should I aim for?" What are your strengths and weaknesses? Focus on your weaknesses to bring them up to par with your strengths while in parallel upping your strengths.

In security, there are a lot of avenues to choose from. Forensics, pentesting, application security, cryptography, networking, etc. Each has its unique methodologies, technologies, protocols, pros and cons.

Examples:

++++++++++

Forensics. Where would you want to fit in? Working as an incident responder researching malware, researching e-Discovery, researching the cause of a compromise? What field? Pros: Banking, insurance, defense industries, huge Fortune 100s are always in demand for these types of individuals.

Cons: Job can be linear, stressful, repetitive.

Certifications: (real world relevant) GCFE, GCFA, EnCe, GCIH, ACE, CCE, GREM, WCNA (Wireshark), GCIA

++++++++++

Pentesting: Where would you want to fit in? Define pentesting. Too many companies have turned this field into a tool (Core Impact, Metasploit, Nessus, etc.); however, there is more to pentesting than running tools. In order to fit into a well rounded position, the document I linked you to will give you the excellent foundations needed. You then need to progress into a more linear stage (focus on applications (which web application, business applications (SAP, etc.))).

Pros: Can be fun, creative, non-linear (no two pentests are ever the same)

Cons: Industry has created too many retards that rely far too much on tools. Many industries are now mandated to have penetration testing (PCI requirement). With that stated, many companies are relying on point and click drop boxes (QualysGuard) and calling it a "pentesting day."

Certifications: (the ones that count) GPEN, CEPT, OSCP, OSCE, CPT, RWSP

++++++++++

Network security: Where would you want to fit in? Managing firewalls, IPS, IDS, DLP, acronym hell? Performing network analyses with tools and hardware such as nGenius, Netwitness, Wireshark, etc., this can criss-cross the forensics realm.

Pros: ALL COMPANIES need network security period.

Cons: Can be as linear as in point A to point B

Certifications: (ones that count) WCNA, CC{N,D,S}P, GCIH, GSEC

++++++++++

Take note, all the certifications I listed are TECHNICAL, for those wondering why CISM, CISA, CGEIT, CISSP, etc. aren't listed. And NO, the SSCP to me is not a technical cert. When I state "ones that count / relevant" I mean the ones you *truly* want to aim for as you WILL LEARN while getting them. Not to take anything away from say the C|EH, CHFI but it is what it is. I felt the certifications I listed would help you LEARN something as opposed to dumping a billion tools on your lap and telling you "hey this is a security tool, learn this tool's syntax and we will give you a shiny certificate!"

Your best bet regardless of any advice you see from me or anyone else is to determine something that you can enjoy while making money. I would hate to focus on Forensics only to have a job I hated doing e-Discovery 24x7x365. I know people that dread getting into the field. They work to dissect/analyze info, go to court, are stressed out as all hell. The money they make doesn't cover sanity, happiness.

Go over to Dice.com and check the markets for certs also. Search for the certification itself to see its demand and WHO is asking for that particular cert. That is a good baseline, as is e.g.:

http://www.payscale.com/research/US/Cer ... %29/Salary
http://www.payscale.com/research/US/Cer ... %29/Salary
http://www.payscale.com/research/US/Cer ... %29/Salary
http://www.payscale.com/research/US/Cer ... %29/Salary
http://www.indeed.com/salary/q-Forensic ... k,-NY.html
http://www.indeed.com/salary?q1=GREM&l1=New+York%2C+NY

Hope that helps